samba.git
4 years agolsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only'
Stefan Metzmacher [Fri, 30 Jan 2015 08:01:58 +0000 (08:01 +0000)]
lsa.idl: use 'boolean8 check_only' instead of 'uint8 check_only'

This is only a cosmetic change to make the idl more verbose,
the resulting C code will still use 'uint8_t'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agolsa.idl: fix idl for lsa_ForestTrustRecordType
Stefan Metzmacher [Fri, 30 Jan 2015 08:01:58 +0000 (08:01 +0000)]
lsa.idl: fix idl for lsa_ForestTrustRecordType

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agosecurity.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUP...
Stefan Metzmacher [Mon, 2 Feb 2015 22:14:38 +0000 (23:14 +0100)]
security.idl: add KERB_ENCTYPE_{FAST_SUPPORTED,COMPOUND_IDENTITY_SUPPORTED,CLAIMS_SUPPORTED,RESOURCE_SID_COMPRESSION_DISABLED}

These are not encryption types, but flags for specific kerberos features.

See [MS-KILE] 2.2.6 Supported Encryption Types Bit Flags.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agonetlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead
Stefan Metzmacher [Mon, 2 Feb 2015 22:14:38 +0000 (23:14 +0100)]
netlogon.idl: remove netr_SupportedEncTypes and use kerb_EncTypes instead

These are the same.

We keep the old defines arround in order to avoid a lot of changes
in the callers.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agonetlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.
Günther Deschner [Tue, 18 Dec 2012 14:27:06 +0000 (15:27 +0100)]
netlogon.idl: netr_ServerPasswordGet returns NTSTATUS not WERROR.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agonetlogon.idl: improve idl for netr_ServerTrustPasswordsGet()
Stefan Metzmacher [Mon, 9 Mar 2015 12:18:38 +0000 (13:18 +0100)]
netlogon.idl: improve idl for netr_ServerTrustPasswordsGet()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoldb-samba: implement --show-binary for msDS-RevealedUsers
Stefan Metzmacher [Fri, 6 Mar 2015 17:07:15 +0000 (18:07 +0100)]
ldb-samba: implement --show-binary for msDS-RevealedUsers

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agodrsblobs.idl: make replPropertyMetaData1 public
Stefan Metzmacher [Thu, 5 Mar 2015 15:21:18 +0000 (16:21 +0100)]
drsblobs.idl: make replPropertyMetaData1 public

This is used as binary data for the msDS-RevealedUsers attribute.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos4:py_net: make domain and address fully optional to py_net_finddc
Stefan Metzmacher [Tue, 27 Jan 2015 21:46:06 +0000 (21:46 +0000)]
s4:py_net: make domain and address fully optional to py_net_finddc

E.g. address=None is now also possible.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos4:librpc: add auth_type=ncalrpc_as_system as binding option
Stefan Metzmacher [Mon, 26 Jan 2015 15:02:20 +0000 (16:02 +0100)]
s4:librpc: add auth_type=ncalrpc_as_system as binding option

In future we may want another way to trigger this,
but our current rpc libraries need a lot of cleanup before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos4:trust_utils: store new trust/machine passwords before trying it remotely.
Stefan Metzmacher [Sat, 31 Jan 2015 10:42:09 +0000 (10:42 +0000)]
s4:trust_utils: store new trust/machine passwords before trying it remotely.

If this fails we can still fallback to the old password...

Before trying the password change we verify the dc knows our current password.

This should make the password changes much more robust.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:winbindd: make open_internal_lsa_conn() non static
Stefan Metzmacher [Tue, 3 Feb 2015 15:22:25 +0000 (16:22 +0100)]
s3:winbindd: make open_internal_lsa_conn() non static

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:winbindd_cm: improve detection for the anonymous fallback.
Stefan Metzmacher [Wed, 11 Feb 2015 14:05:55 +0000 (15:05 +0100)]
s3:winbindd_cm: improve detection for the anonymous fallback.

If the kinit results in NT_STATUS_NO_LOGON_SERVERS, we should fallback,
if allowed.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw()
Stefan Metzmacher [Thu, 5 Feb 2015 09:26:23 +0000 (09:26 +0000)]
s3:pdb_samba_dsdb: implement pdb_samba_dsdb_set_trusteddom_pw()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw()
Stefan Metzmacher [Thu, 5 Feb 2015 10:07:46 +0000 (10:07 +0000)]
s3:pdb_samba_dsdb: return the domain sid in pdb_samba_dsdb_get_trusteddom_pw()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_tr...
Stefan Metzmacher [Fri, 30 Jan 2015 16:53:40 +0000 (16:53 +0000)]
s3:pdb_samba_dsdb: return the previous password and the kvno in pdb_samba_dsdb_get_trusteddom_creds()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
Stefan Metzmacher [Mon, 9 Feb 2015 10:33:05 +0000 (11:33 +0100)]
s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:libnet: use cli_credentials based functions in libnet_join_ok()
Stefan Metzmacher [Mon, 9 Feb 2015 10:29:49 +0000 (11:29 +0100)]
s3:libnet: use cli_credentials based functions in libnet_join_ok()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:auth_domain: make use of cli_rpc_pipe_open_schannel()
Stefan Metzmacher [Mon, 9 Feb 2015 08:52:45 +0000 (09:52 +0100)]
s3:auth_domain: make use of cli_rpc_pipe_open_schannel()

This simplifies a lot and allows the previous password to be used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:auth_domain: fix talloc problem in connect_to_domain_password_server()
Stefan Metzmacher [Mon, 9 Feb 2015 09:33:01 +0000 (10:33 +0100)]
s3:auth_domain: fix talloc problem in connect_to_domain_password_server()

return values of connect_to_domain_password_server() need to be exported
to the callers memory context.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds()
Stefan Metzmacher [Mon, 9 Feb 2015 08:25:35 +0000 (09:25 +0100)]
s3:rpcclient: make use of rpccli_[create|setup]_netlogon_creds_with_creds()

This passing struct cli_credentials allows the usage of the previous password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()
Stefan Metzmacher [Mon, 9 Feb 2015 09:05:37 +0000 (10:05 +0100)]
s3:rpc_client: handle !NETLOGON_NEG_AUTHENTICATED_RPC in cli_rpc_pipe_open_schannel()

This is only allowed with special config options ("client schannel = no",
"require strong key = no" and "reject md5 servers = no").
By default we require NETLOGON_NEG_AUTHENTICATED_RPC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()
Stefan Metzmacher [Mon, 9 Feb 2015 08:34:45 +0000 (09:34 +0100)]
s3:rpc_client: use cli_credentials based functions in cli_rpc_pipe_open_schannel()

This simplifies the code and allows the previous password to be passed
through the stack.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()
Stefan Metzmacher [Mon, 9 Feb 2015 08:49:16 +0000 (09:49 +0100)]
s3:rpc_client: remove unused auth_level paramter of cli_rpc_pipe_open_schannel()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_wit...
Stefan Metzmacher [Fri, 30 Jan 2015 16:54:06 +0000 (16:54 +0000)]
s3:cli_netlogon: cli_credentials_get_old_nt_hash() in rpccli_setup_netlogon_creds_with_creds()

This way we'll fallback to use the previous machine/trust account password
if required.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoauth/credentials: add cli_credentials_set_old_utf16_password()
Stefan Metzmacher [Fri, 30 Jan 2015 16:20:27 +0000 (16:20 +0000)]
auth/credentials: add cli_credentials_set_old_utf16_password()

This is required to set the previous trust account password.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoauth/credentials: add cli_credentials_[g|s]et_old_nt_hash()
Stefan Metzmacher [Mon, 9 Feb 2015 08:04:42 +0000 (09:04 +0100)]
auth/credentials: add cli_credentials_[g|s]et_old_nt_hash()

The machine and trust accounts it's important to retry
netr_Authenticate3() with the previous (old) nt_hash.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoauth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()
Stefan Metzmacher [Mon, 9 Feb 2015 08:06:32 +0000 (09:06 +0100)]
auth/credentials: add a missing talloc check to cli_credentials_set_nt_hash()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agos4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID
Stefan Metzmacher [Wed, 21 Jan 2015 13:44:44 +0000 (14:44 +0100)]
s4:pydsdb: add DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: Change testsuite to use a samAccountName with a space in it
Andrew Bartlett [Thu, 12 Mar 2015 00:43:49 +0000 (13:43 +1300)]
selftest: Change testsuite to use a samAccountName with a space in it

This shows that the previous patch is correct

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agokdc: Ensure we cope with a samAccountName with a space in it
Andrew Bartlett [Thu, 12 Mar 2015 00:29:56 +0000 (13:29 +1300)]
kdc: Ensure we cope with a samAccountName with a space in it

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agodsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()
Andrew Bartlett [Thu, 12 Mar 2015 00:29:56 +0000 (13:29 +1300)]
dsdb: Ensure we cope with a samAccountName with a space in it in DsCrackName()

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: Change testsuite to use a UPN with a space in it
Andrew Bartlett [Wed, 11 Mar 2015 23:56:56 +0000 (12:56 +1300)]
selftest: Change testsuite to use a UPN with a space in it

This shows that the previous patch is correct

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: fix the basedn for local accounts in non-DC environments e.g. s4member
Stefan Metzmacher [Thu, 12 Mar 2015 09:43:57 +0000 (10:43 +0100)]
selftest: fix the basedn for local accounts in non-DC environments e.g. s4member

open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
doesn't generate an error if the command fails...

'testallowed' is a local account here, with a dn of
CN=testallowed,CN=Users,DC=S4MEMBER instead of domain user
CN=testallowed,CN=Users,DC=samba,DC=example,DC=com

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agodsdb: Allow spaces in userPrincipalName values
Andrew Bartlett [Wed, 11 Mar 2015 23:50:23 +0000 (12:50 +1300)]
dsdb: Allow spaces in userPrincipalName values

This is needed to enable a kinit with a UPN that has a space in it

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoheimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY
Stefan Metzmacher [Tue, 10 Mar 2015 14:33:14 +0000 (15:33 +0100)]
heimdal:lib/krb5: let build_logon_name() use KRB5_PRINCIPAL_UNPARSE_DISPLAY

An ENTERPRISE principal should result in 'administrator@S4XDOM.BASE'
instead of 'administrator\@S4XDOM.BASE'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoheimdal:lib/krb5: allow enterprise principals in verify_logonname()
Stefan Metzmacher [Tue, 10 Mar 2015 14:36:01 +0000 (15:36 +0100)]
heimdal:lib/krb5: allow enterprise principals in verify_logonname()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agotorture-krb5: Test accepting the ticket to ensure PAC is well-formed
Andrew Bartlett [Wed, 11 Mar 2015 02:58:36 +0000 (15:58 +1300)]
torture-krb5: Test accepting the ticket to ensure PAC is well-formed

A future test will ask for impersonation to a different user, and
validate returned principal and the PAC matches that user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoauth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()
Andrew Bartlett [Wed, 11 Mar 2015 22:27:57 +0000 (11:27 +1300)]
auth/kerberos: Use KRB5_PRINCIPAL_UNPARSE_DISPLAY in kerberos_create_pac()

This ensures that in the all-Samba PAC creation code, we do not escape a space character if present
in the logon name.  This matches what we do in the Heimdal code in the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoauth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison
Andrew Bartlett [Wed, 11 Mar 2015 02:57:06 +0000 (15:57 +1300)]
auth/kerberos: Do a string comparison in kerberos_decode_pac() not a principal comparison

This ensures that if an enterprise principal is used, we do the
comparison properly

This matters as in the enterprise case, which can be triggered by MIT
kinit -E, does not use canonicalization, and so the enterprise name,
with the @ in it, is in the logon name.

Otherwise, we get errors like:
 Name in PAC [TESTALLOWED@WIN2012R2] does not match principal name in ticket

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoheimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:krb5.asn1: remove KRB5_PADATA_CLIENT_CANONICALIZED handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoheimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:kdc: remove KRB5_PADATA_CLIENT_CANONICALIZED handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoheimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling
Stefan Metzmacher [Tue, 10 Mar 2015 11:38:55 +0000 (12:38 +0100)]
heimdal:lib/krb5: remove KRB5_PADATA_CLIENT_CANONICALIZED handling

This got removed between draft-ietf-krb-wg-kerberos-referrals-11.txt
and the final rfc6806.txt.

The number 133 was reassigned to PA-FX-COOKIE in rfc6113.txt.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: also test python.samba.tests.posixacl against plugin_s4_dc_no_nss
Michael Adam [Thu, 5 Mar 2015 13:43:54 +0000 (14:43 +0100)]
selftest: also test python.samba.tests.posixacl against plugin_s4_dc_no_nss

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Michael Adam <obnox@samba.org>
Autobuild-Date(master): Thu Mar 12 17:12:11 CET 2015 on sn-devel-104

4 years agoselftest: add a new environment plugin_s4_dc_no_nss
Michael Adam [Thu, 5 Mar 2015 12:22:35 +0000 (13:22 +0100)]
selftest: add a new environment plugin_s4_dc_no_nss

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: extend setup_plugin_s4_dc to allow for not using nss_winbindd
Michael Adam [Thu, 5 Mar 2015 12:22:07 +0000 (13:22 +0100)]
selftest: extend setup_plugin_s4_dc to allow for not using nss_winbindd

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
4 years agoselftest: modify python.samba.test.posixacl to cope with nss_winbind active
Michael Adam [Tue, 17 Feb 2015 15:06:49 +0000 (16:06 +0100)]
selftest: modify python.samba.test.posixacl to cope with nss_winbind active

It was observed that adding libnss_winbind (via nss_wrapper) lets
the posix acl mapping come out slightly differently with respect
to the owner/domain admin who is not explicitly nailed down in
the original NT acl.

This patch extends the test to react to the presence of
nss_winbind in environment and adapts the expected results.
This in particular fixes the run of the test against the
(changed) plugin_s4_dc environment while keeping the possibility
to successfully run it against an env without nss_winbind.

Pair-Programmed-With: Guenther Deschner <gd@samba.org>

Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
4 years agobrlock: Use 0 instead of empty initializer list
Christof Schmitt [Wed, 11 Mar 2015 22:54:55 +0000 (15:54 -0700)]
brlock: Use 0 instead of empty initializer list

C does not allow empty initializer lists. Although gcc accepts that, the
SunOS compiler fails in this case with an error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11153

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Christof Schmitt <cs@samba.org>
Autobuild-Date(master): Thu Mar 12 02:49:36 CET 2015 on sn-devel-104

4 years agolib/util: Include DEBUG macro in internal header files before samba_util.h
Lukas Slebodnik [Thu, 5 Mar 2015 10:26:46 +0000 (11:26 +0100)]
lib/util: Include DEBUG macro in internal header files before samba_util.h

It's best practice to include external header files before internal
header files. In this case internal DEBUG macro cannot be defined and
therefore samba version of debug macro will be included
in header file "util/fault.h".

In file included from example.c:27:0:
src/util/util.h:127:0: error: "DEBUG" redefined [-Werror]
 #define DEBUG(level, format, ...) do { \
 ^
In file included from /usr/include/samba-4.0/util/fault.h:29:0,
                 from /usr/include/samba-4.0/samba_util.h:62,
                 from /usr/include/samba-4.0/ndr.h:30,
                 from example.c:24:
/usr/include/samba-4.0/util/debug.h:182:0: note: this is the location of the previous definition
 #define DEBUG( level, body ) \
 ^
  CC       src/providers/ad/libsss_ad_common_la-ad_domain_info.lo
cc1: all warnings being treated as errors

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11033

Signed-off-by: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Mar 11 18:47:22 CET 2015 on sn-devel-104

4 years agosmbd: Simplify create_token_from_sid()
Volker Lendecke [Tue, 10 Mar 2015 20:13:56 +0000 (21:13 +0100)]
smbd: Simplify create_token_from_sid()

This if-statement is unnecessary. First, talloc_array returns non-NULL
even if asked for 0 elements. Second, a bit further down we do a

SMB_ASSERT(num_group_sids > 0);

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosmbd: Simplify create_token_from_sid()
Volker Lendecke [Tue, 10 Mar 2015 20:09:53 +0000 (21:09 +0100)]
smbd: Simplify create_token_from_sid()

With the previous commit all 3 branches do the same

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosmbd: Streamline the gids handling in create_token_from_sid()
Volker Lendecke [Tue, 10 Mar 2015 20:03:15 +0000 (21:03 +0100)]
smbd: Streamline the gids handling in create_token_from_sid()

Usually, I'm all for avoiding talloc. But in this case I believe that this
routine is complex enough to justify this change. For an hour or so I suspect
that the winbind case had an uninitialized "*gid" until I discovered the
sid_to_gid(). This makes it more obvious that *gid is assigned.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosmbd: Put a variable definition closer to its use
Volker Lendecke [Tue, 10 Mar 2015 19:55:22 +0000 (20:55 +0100)]
smbd: Put a variable definition closer to its use

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agolib: Avoid a malloc/realloc in getgroups_unix_user
Volker Lendecke [Mon, 9 Mar 2015 21:04:04 +0000 (22:04 +0100)]
lib: Avoid a malloc/realloc in getgroups_unix_user

This avoids a malloc/free in the most common case of a user with just a few
group memberships

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agolib: Fix whitespace
Volker Lendecke [Mon, 9 Mar 2015 20:44:04 +0000 (21:44 +0100)]
lib: Fix whitespace

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoctdb: Fix CID 1288201 Array compared against 0
Volker Lendecke [Wed, 11 Mar 2015 10:58:11 +0000 (10:58 +0000)]
ctdb: Fix CID 1288201 Array compared against 0

"helper_prog" is now declared as a static array

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoidl: define FSCTL_DUPLICATE_EXTENTS_TO_FILE
David Disseldorp [Fri, 30 Jan 2015 10:47:53 +0000 (11:47 +0100)]
idl: define FSCTL_DUPLICATE_EXTENTS_TO_FILE

As specified in the recent 20150129 revision of MS-FSCC.
Add a note regarding the FileHandle field, which was confirmed to
correspond to the volatile part of the fileid:
https://lists.samba.org/archive/samba-technical/2015-February/105454.html

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotdb: Fix CID 1034842 Resource leak
Volker Lendecke [Sun, 8 Mar 2015 19:21:23 +0000 (19:21 +0000)]
tdb: Fix CID 1034842 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Mar 11 00:23:20 CET 2015 on sn-devel-104

4 years agotdb: Fix CID 1034841 Resource leak
Volker Lendecke [Sun, 8 Mar 2015 19:18:21 +0000 (19:18 +0000)]
tdb: Fix CID 1034841 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agolib: Fix CID 1034840 Resource leak
Volker Lendecke [Sun, 8 Mar 2015 19:12:11 +0000 (19:12 +0000)]
lib: Fix CID 1034840 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agolib: Fix CID 1034839 Resource leak
Volker Lendecke [Sun, 8 Mar 2015 19:10:50 +0000 (19:10 +0000)]
lib: Fix CID 1034839 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agolib: Fix CID 1034838 Resource leak
Volker Lendecke [Sun, 8 Mar 2015 19:06:38 +0000 (19:06 +0000)]
lib: Fix CID 1034838 Resource leak

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agosmbcontrol: Simplify do_winbind_offline
Volker Lendecke [Sat, 7 Mar 2015 11:39:05 +0000 (11:39 +0000)]
smbcontrol: Simplify do_winbind_offline

This saves 128 bytes of .text on x86-64 with -O3. No idea why...

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agolibreplace: Fix CID 1034926 Destination buffer too small
Volker Lendecke [Sat, 7 Mar 2015 11:24:33 +0000 (11:24 +0000)]
libreplace: Fix CID 1034926 Destination buffer too small

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agoctdb: Fix 1125553 Buffer not null terminated
Volker Lendecke [Sat, 7 Mar 2015 10:29:21 +0000 (10:29 +0000)]
ctdb: Fix 1125553 Buffer not null terminated

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agoregistry: Fix CID 240989 Buffer not null terminated
Volker Lendecke [Sat, 7 Mar 2015 10:24:18 +0000 (10:24 +0000)]
registry: Fix CID 240989 Buffer not null terminated

This makes it clearer that we don't really have a string in .hdr

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agoregistry: Fix CID 241075 Unchecked return value
Volker Lendecke [Fri, 6 Mar 2015 11:02:49 +0000 (11:02 +0000)]
registry: Fix CID 241075 Unchecked return value

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ira Cooper <ira@samba.org>
4 years agotorture4: Fix systems with a 32-bit "long"
Volker Lendecke [Tue, 10 Mar 2015 10:52:36 +0000 (11:52 +0100)]
torture4: Fix systems with a 32-bit "long"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan (metze) Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue Mar 10 18:05:13 CET 2015 on sn-devel-104

4 years agoctdb-daemon: Use statically allocated arrays for helper paths
Martin Schwenke [Fri, 6 Mar 2015 03:05:23 +0000 (14:05 +1100)]
ctdb-daemon: Use statically allocated arrays for helper paths

The use of talloc with a static variable is somewhat confusing.
Statically allocate an array and use ctdb_set_helper() instead.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
4 years agoctdb-common: New function ctdb_set_helper()
Martin Schwenke [Fri, 6 Mar 2015 20:22:32 +0000 (07:22 +1100)]
ctdb-common: New function ctdb_set_helper()

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
4 years agoUpdate libwbclient version to 0.12
Matthew Newton [Sun, 1 Mar 2015 23:14:07 +0000 (23:14 +0000)]
Update libwbclient version to 0.12

Increment the minor version of the libwbclient library after new
context functions added. (Major version increase not required as
the only two functions with changed parameters are private to the
library.)

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 10 03:24:45 CET 2015 on sn-devel-104

4 years agoMove wbc global variables into global context instead
Matthew Newton [Sun, 22 Feb 2015 23:31:48 +0000 (23:31 +0000)]
Move wbc global variables into global context instead

There are some global variables in use in the libwbclient
library. Now that we have a context, move these into it so that
they are thread-safe when the wbcCtx* functions are used.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoAdd context versions of wbclient functions
Matthew Newton [Sat, 21 Feb 2015 22:30:11 +0000 (22:30 +0000)]
Add context versions of wbclient functions

To make the libwbclient library thread-safe, all functions
that call through to wb_common winbindd_request_response need
to have context that they can use. This commit adds all the
necessary functions.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoAdd wbcContext to wbcRequestResponse
Matthew Newton [Sat, 24 Jan 2015 00:30:00 +0000 (00:30 +0000)]
Add wbcContext to wbcRequestResponse

To enable libwbclient to pass winbindd context through
to the winbind client library in wb_common.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoAdd wbcContext struct, create and free functions
Matthew Newton [Sat, 21 Feb 2015 00:19:32 +0000 (00:19 +0000)]
Add wbcContext struct, create and free functions

The basic context structure and functions for libwbclient so that
libwbclient can be made thread-safe.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoUse global context for winbindd_request_response
Matthew Newton [Fri, 23 Jan 2015 23:58:53 +0000 (23:58 +0000)]
Use global context for winbindd_request_response

Updating API call in libwbclient, wbinfo, ntlm_auth and
winbind_nss_* as per previous commit to wb_common.c.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoMake winbind client library thread-safe by adding context
Matthew Newton [Fri, 23 Jan 2015 22:35:50 +0000 (22:35 +0000)]
Make winbind client library thread-safe by adding context

Rather than keep state in global variables, store the current
context such as the winbind file descriptor in a struct that is
passed in. This makes the winbind client library thread-safe.

Signed-off-by: Matthew Newton <matthew-git@newtoncomputing.co.uk>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: add range overflow QAR test
David Disseldorp [Mon, 9 Mar 2015 15:21:24 +0000 (16:21 +0100)]
torture/ioctl: add range overflow QAR test

Issue a QAR request with an offset and length that generate an integer
(uint64_t) overflow when summed together. This should result in an
NT_STATUS_INVALID_PARAMETER response, as confirmed against Windows
Server 2012 & 2008.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 10 00:02:18 CET 2015 on sn-devel-104

4 years agotorture/ioctl: add multi-range QAR test
David Disseldorp [Thu, 26 Feb 2015 00:13:58 +0000 (01:13 +0100)]
torture/ioctl: add multi-range QAR test

Write 10 x 64K ranges, with 64K holes punched in between. Afterwards,
check that all ranges are present in the QAR response.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: add QAR off-by-one bug paranoia test
David Disseldorp [Wed, 25 Feb 2015 18:23:49 +0000 (19:23 +0100)]
torture/ioctl: add QAR off-by-one bug paranoia test

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: test sparse file operation locking
David Disseldorp [Wed, 25 Feb 2015 14:29:56 +0000 (15:29 +0100)]
torture/ioctl: test sparse file operation locking

An exclusively locked file can still be marked sparse. QAR requests
covering the locked-range should also succed. ZERO_DATA requests are
blocked.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agos3/smbd: fix FSCTL_SET_SPARSE permission checks
David Disseldorp [Mon, 23 Feb 2015 19:27:37 +0000 (20:27 +0100)]
s3/smbd: fix FSCTL_SET_SPARSE permission checks

On Windows servers (tested against Windows Server 2008 & 2012) the
FSCTL_SET_SPARSE ioctl is processed if FILE_WRITE_DATA,
FILE_WRITE_ATTRIBUTES _or_ SEC_FILE_APPEND_DATA permissions are granted
on the open file-handle.
Fix Samba such that it matches this behaviour, rather than only checking
for FILE_WRITE_DATA or FILE_WRITE_ATTRIBUTES.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: add ioctl_sparse_perms test
David Disseldorp [Mon, 23 Feb 2015 19:24:11 +0000 (20:24 +0100)]
torture/ioctl: add ioctl_sparse_perms test

This test confirms that correct FSCTL_SET_SPARSE permission checks are
in place on the server.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: rework and reduce pattern helper IO sizes
David Disseldorp [Mon, 23 Feb 2015 19:03:19 +0000 (20:03 +0100)]
torture/ioctl: rework and reduce pattern helper IO sizes

check_pattern() currently attempts to read all data in one go. Fix it to
use a 64K maximum IO size so that it works against Windows Server 2008.

Additionally, rework write_pattern() so that it only allocates a buffer
for the largest IO size (now 64K), rather than for the full write
length.

Finally, assert that callers are correctly performing pattern IO in
8-byte increments - copy_chunk_tiny was not, so fix it.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: add sparse_punch_invalid test
David Disseldorp [Mon, 23 Feb 2015 10:29:52 +0000 (11:29 +0100)]
torture/ioctl: add sparse_punch_invalid test

Attempt to extend a file using ZERO_DATA. The operation should succeed,
but the file should not be extended, as specified in MS-FSCC <58>
Section 2.3.65:
  This FSCTL sets the range of bytes to zero (0) without extending the
  file size.

Also test zero length and invalid BFZ requests.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: remove FS specific sparse copy-chunk expectations
David Disseldorp [Mon, 23 Feb 2015 10:28:17 +0000 (11:28 +0100)]
torture/ioctl: remove FS specific sparse copy-chunk expectations

NTFS deallocates an entire file when a sparse zero-data request spans
the full length. Other filesystems (e.g. EXT4 and Btrfs) do not.

vfs_btrfs is additionally capable of preserving sparse regions for
copy-chunk, using the BTRFS_IOC_CLONE_RANGE ioctl. This should not be
treated as a failure.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: remove FS specific sparse punch check
David Disseldorp [Mon, 23 Feb 2015 10:09:02 +0000 (11:09 +0100)]
torture/ioctl: remove FS specific sparse punch check

Samba uses PUNCH_HOLE to zero a range, and subsequently uses fallocate()
to allocate the punched range if the file is marked non-sparse and
"strict allocate" is enabled.

In both cases, the zeroed range will not be detected by SEEK_DATA, so
the range won't be present in QAR responses until the file is marked
non-sparse again.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agotorture/ioctl: remove 64K chunk size assumptions
David Disseldorp [Thu, 19 Feb 2015 15:09:02 +0000 (16:09 +0100)]
torture/ioctl: remove 64K chunk size assumptions

These tests assumed that 4K chunks remain allocated following write at
a subsequent offset. This is not the case for other filesystems (E.g.
XFS, Btrfs, Etc.), which may deallocate the chunk.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agos3/statvfs: expose FILE_SUPPORTS_SPARSE_FILES capability
David Disseldorp [Thu, 19 Feb 2015 15:46:56 +0000 (16:46 +0100)]
s3/statvfs: expose FILE_SUPPORTS_SPARSE_FILES capability

Samba now supports:
- FSCTL_SET_SPARSE
- FSCTL_SET_ZERO_DATA, via FALLOC_FL_PUNCH_HOLE
- FSCTL_QUERY_ALLOCATED_RANGES, via SEEK_DATA/SEEK_HOLE

As such, flag support for sparse files, via the
FILE_SUPPORTS_SPARSE_FILES capability flag if FALLOC_FL_PUNCH_HOLE and
SEEK_DATA/SEEK_HOLE are present at configure time.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosmbd/ioctl: add FSCTL_QUERY_ALLOCATED_RANGES support
David Disseldorp [Thu, 19 Feb 2015 15:36:05 +0000 (16:36 +0100)]
smbd/ioctl: add FSCTL_QUERY_ALLOCATED_RANGES support

This change implements support for FSCTL_QUERY_ALLOCATED_RANGES using
the SEEK_HOLE/SEEK_DATA functionality of lseek().

Files marked non-sparse are always reported by the ioctl as fully
allocated, regardless of any potential "strict allocate = no" savings.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agobuild: check for SEEK_HOLE and SEEK_DATA support
David Disseldorp [Thu, 19 Feb 2015 14:53:56 +0000 (15:53 +0100)]
build: check for SEEK_HOLE and SEEK_DATA support

SEEK_HOLE and SEEK_DATA will be used in the implementation of
FSCTL_QUERY_ALLOCATED_RANGES support.

"SEEK_DATA and SEEK_HOLE are nonstandard extensions also present
 in Solaris, FreeBSD, and DragonFly BSD; they are proposed for
 inclusion in the next POSIX revision (Issue 8)."

With Linux they are supported on:
-  Btrfs (since Linux 3.1)
-  OCFS (since Linux 3.2)
-  XFS (since Linux 3.5)
-  ext4 (since Linux 3.8)
-  tmpfs (since Linux 3.8)

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agoidl/ioctl: change QAR response array to a DATA_BLOB
David Disseldorp [Thu, 12 Feb 2015 09:58:20 +0000 (10:58 +0100)]
idl/ioctl: change QAR response array to a DATA_BLOB

[MS-FSCC] specifies:
  The number of FILE_ALLOCATED_RANGE_BUFFER elements returned is
  computed by dividing the size of the returned output buffer (from
  either SMB or SMB2, the lower-layer protocol that carries the FSCTL)
  by the size of the FILE_ALLOCATED_RANGE_BUFFER element.

Ideally, this requirement could be defined in idl with the following:
  [flag(NDR_REMAINING)] file_alloced_range_buf array[];

However, this is not currently supported by PIDL, so just use an opaque
data blob for now.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosmbd/ioctl: add FSCTL_SET_ZERO_DATA support
David Disseldorp [Tue, 10 Feb 2015 23:24:16 +0000 (00:24 +0100)]
smbd/ioctl: add FSCTL_SET_ZERO_DATA support

FSCTL_SET_ZERO_DATA can be used in two ways.
- When requested against a file marked as sparse, it provides a
  mechanism for requesting that the server deallocate the underlying
  disk space for the corresponding zeroed range.
- When requested against a non-sparse file, it indicates that the server
  should allocate and zero the corresponding range.

Both use cases can be handled in Samba using fallocate(). The Linux
specific FALLOC_FL_PUNCH_HOLE flag can be used to deallocate the
underlying disk space. After doing so, a normal fallocate() call can
be used to ensure that the zeroed range is allocated on non-sparse
files.

FSCTL_SET_ZERO_DATA requests must not result in a change to the file
size. The FSCTL_SET_ZERO_DATA handler always calls fallocate() with the
KEEP_SIZE flag set, ensuring that Samba meets this requirement.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agosystem: add hole punch support to sys_fallocate()
David Disseldorp [Tue, 10 Feb 2015 13:32:07 +0000 (14:32 +0100)]
system: add hole punch support to sys_fallocate()

If Samba is configured with FALLOC_FL_PUNCH_HOLE support, then allow
sys_fallocate() to propogate the flag to syscall invocation.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agobuild: check for fallocate hole-punch support
David Disseldorp [Mon, 9 Feb 2015 18:39:06 +0000 (19:39 +0100)]
build: check for fallocate hole-punch support

Add a configure time check for the FALLOC_FL_PUNCH_HOLE Linux specific
fallocate() flag. It's been around since 2.6.38.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agos3/vfs: change fallocate mode flags from enum->uint32_t
David Disseldorp [Mon, 9 Feb 2015 17:21:59 +0000 (18:21 +0100)]
s3/vfs: change fallocate mode flags from enum->uint32_t

The Linux fallocate syscall offers a mode parameter which can take the
following flags:
FALLOC_FL_KEEP_SIZE
FALLOC_FL_PUNCH_HOLE (since 2.6.38)
FALLOC_FL_COLLAPSE_RANGE (since 3.15)
FALLOC_FL_ZERO_RANGE (since 3.14)

The flags are not exclusive, e.g. FALLOC_FL_PUNCH_HOLE must be specified
alongside FALLOC_FL_KEEP_SIZE.

Samba currently takes a vfs_fallocate_mode enum parameter for the VFS
fallocate hook, taking either an EXTEND_SIZE or KEEP_SIZE value. This
commit changes the fallocate hook such that it accepts a uint32_t flags
parameter, in preparation for PUNCH_HOLE and ZERO_RANGE support.

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agolib/system: remove useless HAVE_LINUX_FALLOCATE64 logic
David Disseldorp [Mon, 9 Feb 2015 14:51:28 +0000 (15:51 +0100)]
lib/system: remove useless HAVE_LINUX_FALLOCATE64 logic

Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
4 years agos3-winbind: Fix chached user group lookup of trusted domains.
Michael Adam [Mon, 9 Mar 2015 14:15:37 +0000 (15:15 +0100)]
s3-winbind: Fix chached user group lookup of trusted domains.

If a user group lookup has aleady been done before with a machine
account we did always return the incomplete information from the cache.
This patch makes sure we return the correct group information from the
netsamlogon cache.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Mar  9 19:23:25 CET 2015 on sn-devel-104

4 years agotorture-krb5: Add an initial test for s4u2self behaviour
Andrew Bartlett [Sun, 8 Mar 2015 22:12:01 +0000 (11:12 +1300)]
torture-krb5: Add an initial test for s4u2self behaviour

This test only checks for S4U2Self of the same user, but shows
that a user account is not a valid service for this purpose.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Mar  9 12:10:09 CET 2015 on sn-devel-104

4 years agokdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN
Andrew Bartlett [Mon, 9 Mar 2015 03:00:56 +0000 (16:00 +1300)]
kdc: Fix S4U2Self handling with KRB5_NT_ENTERPRISE_PRINCIPAL containing a UPN

This is now handled properly by samba_kdc_lookup_server() and this wrapper actually
breaks things.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>